I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellania like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

With an update from Skype below, addressing its fix for the security issue.

Microsoft is scrambling Wednesday to fix a security vulnerability that allowed anyone to hijack another user’s Skype account with a dead-simple trick. But if it had listened to one helpful user who reported a bug in its registration system months ago, it might have avoided the whole fiasco.

Microsoft-owned Skype disabled all password resets for users Wednesday as it works on a fix for a technique that appeared on several Russian websites showing how anyone can take over another user’s Skype account in a few easy steps, just by knowing the email address linked with that account. By registering a new Skype account to the target’s email address and then manipulating the application’s password reset function, anyone can change the password for the target account rather than the new one they’ve just registered.

That account takeover technique exploits two oversights in Skype’s account management system, as illustrated in this helpful step-by-step guide. First, Skype allows anyone to register an account with someone else’s email address by failing to send a message to verify that the registrant has access to that address. And second, it assumes that any two accounts with the same email address are linked and have the same privileges to change the account’s password.

A Montenegro-based coder and startup founder named Dmitry Chestnykh noticed the first of these two flaws in early August, when someone set up a new Skype account and used his email address, likely by accident. After being surprised by a new “welcome” email from Skype, he contacted Skype’s customer support to point out the problem. After being told that “Skype takes security and privacy seriously,” he was transferred to another support department, where he laid out the problem in this chat transcript he sent to me:

Chestnykh: Could you tell me if email accounts that are registered with Skype are being verified by sending a message to them? If so, maybe there’s a bug in your system?

Skype staff: We send a welcome email to the registered email address whenever a new account is set up using that email.

Chestnykh: OK, that’s what I received. And then you also send other emails with offers to the same account. So, basically, anyone can create an account for any email. Why don’t you verify emails?

Skype staff: Please understand that all of us here at Skype take our customers’ privacy and confidentiality very seriously.

To be clear, Chestnykh’s warning to Skype’s customer support staff–likely one they’d received repeatedly–didn’t mention that it was possible to reset the password for another account just by registering a new one to that user’s email address. But if Skype had listened, it could have closed the email registration flaw that made its more critical issue possible. “These are two separate issues (what I reported and what these guys exposed today),” Chestnykh wrote to me in an email. “However had Skype fixed the issue I reported, the second one (today’s) probably wouldn’t be possible to exploit.”

Prior to Skype’s emergency move to block password resets Wednesday, there were signs that Skype’s security flaws were indeed being used to steal users’ accounts: Kaspersky Labs researcher Costin Raiu points to Russian opposition leader Alexey Navalny, whose account was apparently compromised with the technique Wednesday. “If someone writes to you from Skype, it’s not me,” Navalny wrote on Twitter.

A Skype spokesperson sent me a statement that the company is “reaching out to a small number of users who may have been impacted to assist as necessary” and that “Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.”

Update: Skype has now fixed the issue, according to a spokesperson: “We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly.”

Given that the Skype flaw persisted for months at the very least, it’s likely more users were exploited before the technique became public. That offers a useful lesson for companies that receive bug reports from users: Sometimes taking your customers’ privacy and confidentiality seriously requires doing more than repeating that you “take your customers’ privacy and confidentiality very seriously.”
